-
Notifications
You must be signed in to change notification settings - Fork 240
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support multiple basic_auth statements in caddy2 #81
Comments
Sure, that's something that can be added I'm pretty sure. |
I can add it but what json structure you want for doing this? |
Hi @mholt, can you choose one json format for multiple basicauths from below so I can start making a PR? "basicauths": [
{"user": "me", "password": "hunter"}
] "users": ["me"],
"passwords": ["hunter"], "basicauths": [
["me", "hunter"]
] |
Maybe one more choice for your reference: In traefik, users can configure multiple basicauths in a list. Below is an example of toml format used in traefik. # Declaring the user list
[http.middlewares]
[http.middlewares.test-auth.basicAuth]
users = [
"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
"test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
] I don't know implementation details but would be nice to use hashed passwords in conf, which is safe to expose in a plain text. Thanks. |
Thanks for helping with this! Before we go too far on this, I am quickly skimming the code and realizing that I only brought over the basicauth functionality to get the tests to pass temporarily. Caddy 2 already has a very flexible and capable authentication module that supports basicauth: https://caddyserver.com/docs/modules/http.authentication.providers.http_basic Ideally we wouldn't have any authentication logic in this proxy module at all, since it exists in that module. However, if it's necessary for probe resistance, then at least we should look into simply embedding that module into this one, rather than re-implementing it. For an example of this, Caddy's What do you think about that? Should be easier and faster right? |
Forward proxy in Caddy1 implements its own basicauth to try to avoid side channel attacks with this Lines 177 to 182 in 247c0ba
I'll have to remove this constant time compare if I'm to do it with the authentication module. Edit: Ok, the purpose of this constant time compare is to hide the existence of the auth check so to realize probe resistance, i.e. arbitrary auth input regardless of success or not should take the same amount of time. A real test case is that if I craft a Proxy-Authorization header with a very long password, and if it takes more time to process than a short password, this reveals the existence of an auth checking proxy. I don't think Caddy 2's auth module is capable of constant time authentication. Even hashed password as requested by wiserain above is suspect without audited constant time hashing algorithm. |
Any update for this? |
Any update on this? |
Fixed after #74 |
forwardproxy/forwardproxy.go
Lines 729 to 732 in 8d6f47b
Multiple basic_auth statements are not supported because it was not clear what json structure you wanted for doing it @mholt.
Some users are complaining klzgrad/naiveproxy#137.
The text was updated successfully, but these errors were encountered: